Full Report
Trends of major APT groups by country

1) North Korea

Since November 2024, the North Korean APT group has been exploiting the vulnerability of South Korean Internet financial security software. Similar attacks have been carried out in the past, and the threat actors have been launching attacks based on their understanding of […]
Analysis Summary
# Threat Actor: Konni
## Attribution & Identity
Attributed to North Korea.
## Activity Summary
Group distributed malware via spear-phishing attacks impersonating a South Korean government agency (National Human Rights Commission and Korean National Police Agency) between January and March 2025, targeting activists affiliated with a North Korea human rights and inter-Korean NGO.
## Tactics, Techniques & Procedures
- Spear-phishing disguised as a government agency.
- Priming the target by asking the recipient to reply to an initial message before the malicious file is sent.
- Using non-executable file formats as malware carriers (LNK shortcut file and AutoIT script).
- Attempting to steal data and take control of the device.
## Targeting
- Sectors: Not explicitly detailed beyond NGO affiliation.
- Geography: South Korea (Implied by impersonated agencies and targets).
- Victims: Activists affiliated with a North Korea human rights and inter-Korean NGO.
## Tools & Infrastructure
- Malware families used: LNK shortcut file, AutoIT script.
- Infrastructure (C2, domains, IPs): Not specified.
## Implications
The group demonstrates operational discipline in targeting specific activist communities within South Korea using localized impersonations (government agencies) and fileless/non-executable techniques to evade basic detection.
## Mitigations
- Enhanced vigilance against spear-phishing emails originating from seemingly legitimate South Korean government entities.
- Implement controls blocking execution from LNK files or AutoIT scripts originating from untrusted sources.
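The second mitigation, a gateway-side block on LNK and AutoIT attachments, is shown below as an added example; it is not code from the report or from any vendor. It walks every MIME part of a message, looks inside ZIP containers (where such shortcuts are commonly wrapped), and returns the names of anything matching a site policy of blocked extensions. The extension list, sender and recipient addresses and the sample message are constructed for illustration.

```python
"""Attachment policy check for a mail gateway (added example, not from the report).

Flags attachments that match the delivery pattern described above: LNK shortcut
files and AutoIT scripts, including when nested inside a ZIP archive.
The message below is constructed for illustration.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions treated as non-executable malware carriers (assumption: site policy).
BLOCKED_EXTENSIONS = {".lnk", ".au3", ".a3x"}
CONTAINER_EXTENSIONS = {".zip"}


def _ext(name: str) -> str:
    """Lowercase final extension, so 'notice.pdf.lnk' yields '.lnk'."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def scan_zip(data: bytes, container_name: str) -> list[str]:
    """Return findings for blocked member names inside a ZIP archive."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if _ext(info.filename) in BLOCKED_EXTENSIONS:
                    findings.append(f"{container_name}:{info.filename}")
    except zipfile.BadZipFile:
        # Unreadable archives are reported rather than silently passed.
        findings.append(f"{container_name}: unreadable archive")
    return findings


def scan_message(raw: bytes) -> list[str]:
    """Walk every attachment part and flag blocked files, looking inside ZIPs."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _ext(name)
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            findings.append(name)
        elif ext in CONTAINER_EXTENSIONS:
            findings.extend(scan_zip(payload, name))
    return findings


def build_sample_message() -> bytes:
    """Construct a test message: a PDF-looking LNK inside a ZIP plus a bare AutoIT script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("meeting_notice.pdf.lnk", b"L\x00\x00\x00")  # constructed LNK stub
        zf.writestr("agenda.txt", b"plain text")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed address
    msg["To"] = "recipient@example.invalid"     # constructed address
    msg["Subject"] = "Re: request for comment"
    msg.set_content("Please see the attached materials.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="materials.zip")
    msg.add_attachment(b"MsgBox(0, 'x', 'y')", maintype="application",
                       subtype="octet-stream", filename="helper.au3")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print("BLOCK", finding)
```

The check keys on the final extension only, so a double extension such as `.pdf.lnk` is still caught; content-type headers are deliberately ignored because the sender controls them.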
***
# Threat Actor: Lazarus Group
## Attribution & Identity
North Korean APT group. Utilizes strategies seen in past campaigns like Bookcode, DeathNote, and SIGNBT.
## Activity Summary
Conducted "Operation SyncHole" from November 2024 to March 2025, breaching at least six South Korean industrial organizations by exploiting vulnerabilities in South Korean software (watering hole attack).
## Tactics, Techniques & Procedures
- Watering hole attack.
- Exploiting vulnerabilities in third-party software (specifically Innorix Agent and Cross EX).
- Executing malware in memory.
- Lateral movement post-breach.
## Targeting
- Sectors: Software, IT, finance, semiconductor manufacturing, and telecommunications industries.
- Geography: South Korea.
- Victims: At least six organizations in South Korea.
## Tools & Infrastructure
- Malware families used: ThreatNeedle, wAgent, Agamemnon downloader, SIGNBT, COPPERHEDGE.
- Infrastructure (C2, domains, IPs): Not specified.
## Implications
Lazarus continues to show a deep understanding and systematic exploitation of the intricacies of the South Korean software ecosystem, posing a significant supply chain risk to critical infrastructure sectors.
## Mitigations
- Rigorous vetting and patching of third-party software, especially locally utilized Internet financial security software components like Innorix Agent and Cross EX.
- Monitor for in-memory execution artifacts and lateral movement indicative of known Lazarus TTPs.
***
# Threat Actor: APT41
## Attribution & Identity
Chinese APT group.
## Activity Summary
Brief exposure of infrastructure in March 2025 revealed reconnaissance and exploitation tools targeting vulnerable Fortinet devices.
## Tactics, Techniques & Procedures
- Exploiting vulnerabilities in Fortinet firewall/VPN devices (CVE-2024-23108, CVE-2024-23109).
- Executing CLI commands via an unauthorized WebSocket endpoint.
- Payload concealment using AES and XOR encryption.
- Network reconnaissance and internal portal exploration.
- Using encrypted web shells that decrypt and execute payloads in memory.
## Targeting
- Sectors: Cosmetics/Manufacturing (Implied).
- Geography: Japan.
- Victims: Japanese cosmetics company Shiseido.
## Tools & Infrastructure
- Malware families used: KeyPlug backdoor, bx.php (PHP web shell).
- Tools: 1.py, ws_test.py (Exploitation script), fscan (Port scanning tool).
- Infrastructure (C2, domains, IPs): Not specified.
## Implications
APT41 remains active in large regional economies like Japan, leveraging known critical vulnerabilities (Fortinet) for initial access and employing layered obfuscation (encryption, in-memory execution) to achieve reconnaissance goals.
## Mitigations
- Immediate remediation and patching of all Fortinet devices for reported vulnerabilities (CVE-2024-23108, CVE-2024-23109).
- Monitor for unusual WebSocket traffic or CLI command execution on network perimeter devices.
- Implement behavioral detection for in-memory payload decryption.
***
# Threat Actor: Earth Bluecrow
## Attribution & Identity
Chinese APT group.
## Activity Summary
This group has been active from 2021 to the present, utilizing the BPFDoor backdoor for cyber espionage activities across Asia and the Middle East. A breach of a Korean telecommunications company in April 2025 is under investigation for possible association.
## Tactics, Techniques & Procedures
- Utilizing Berkeley Packet Filter (BPF) for network packet filtering and stealthy communication.
- Backdoor activation triggered by a network packet containing a specific ‘magic sequence’.
- Concealment by renaming its process and by not opening any listening port.
- Communication via TCP, UDP, and ICMP protocols.
- Controlled via password authentication and encrypted connections.
- Lateral movement via reverse shell deployment.
## Targeting
- Sectors: Communication, finance, and retail industries.
- Geography: South Korea, Hong Kong, Myanmar, Malaysia, and Egypt.
- Victims: Telecommunications company (potential link in April 2025), various organizations in specified countries.
## Tools & Infrastructure
- Malware families used: BPFDoor backdoor (Backdoor.Linux.BPFDOOR).
- Infrastructure (C2, domains, IPs): Not specified.
## Implications
Earth Bluecrow specializes in long-term, low-observable espionage by utilizing kernel-level techniques (BPF) to bypass traditional network monitoring tools, focusing heavily on critical infrastructure sectors across Asia and the Middle East.
## Mitigations
- Implement advanced endpoint monitoring capable of detecting process anomalies, especially unusual process renaming unrelated to expected system function.
- Monitor network traffic for unexpected control sequences in packets and for unauthorized TCP, UDP or ICMP communication that bypasses firewall rules written for application protocols.
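The first mitigation above, endpoint detection of process anomalies, is illustrated with the added example below; it is not code from the report or from any vendor. It models the checks a Linux endpoint agent would run over `/proc` for the concealment pattern described in the TTPs: a process whose visible name differs from the binary it executes, a binary deleted from disk after launch, and a raw or packet socket held by a process that has no listening port. All process records, the capture-tool allowlist and the path convention are constructed assumptions for illustration.

```python
"""Host-side triage for process masquerading (added example, not from the report).

Each ProcRecord stands in for values an agent would read from /proc/<pid>:
comm, cmdline, the exe symlink target and socket inventory. Records are constructed.
"""
from dataclasses import dataclass, field
import os

# Packet-capture tools expected to hold raw sockets without listening (assumption).
CAPTURE_TOOLS = {"tcpdump", "dumpcap", "wireshark"}
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/")


@dataclass
class ProcRecord:
    pid: int
    comm: str                 # contents of /proc/<pid>/comm (kernel truncates to 15 chars)
    cmdline: str              # argv as shown to ps; argv[0] can be rewritten by the process
    exe: str                  # readlink of /proc/<pid>/exe; ends with " (deleted)" if unlinked
    raw_sockets: int = 0      # count of SOCK_RAW / AF_PACKET sockets held
    listening_ports: list = field(default_factory=list)


def anomalies(p: ProcRecord) -> list[str]:
    """Return human-readable findings for one process; empty list means nothing odd."""
    out = []
    exe_path = p.exe.replace(" (deleted)", "")
    exe_name = os.path.basename(exe_path)
    argv0 = os.path.basename(p.cmdline.split()[0]) if p.cmdline.strip() else ""

    # 1. Name shown to operators differs from the binary actually running.
    if argv0 and argv0 != exe_name:
        out.append(f"argv0 '{argv0}' masquerades exe '{exe_name}'")
    if p.comm != exe_name[:15]:
        out.append(f"comm '{p.comm}' does not match exe '{exe_name}'")

    # 2. Binary removed after execution, a common self-cleanup step.
    if p.exe.endswith(" (deleted)"):
        out.append("exe deleted from disk")

    # 3. Sniffing socket with no listening port: passive-trigger pattern.
    #    Legitimate capture tools from trusted paths are allowlisted to cut noise.
    trusted_capture = exe_name in CAPTURE_TOOLS and exe_path.startswith(TRUSTED_PREFIXES)
    if p.raw_sockets and not p.listening_ports and not trusted_capture:
        out.append("raw socket without listening port")
    return out


def triage(records: list[ProcRecord]) -> dict[int, list[str]]:
    """Map pid -> findings for every process that has at least one anomaly."""
    return {r.pid: f for r in records if (f := anomalies(r))}


# Constructed sample: a normal daemon, a legitimate sniffer, and a masquerading implant.
SAMPLE = [
    ProcRecord(101, "sshd", "/usr/sbin/sshd -D", "/usr/sbin/sshd", listening_ports=[22]),
    ProcRecord(202, "tcpdump", "tcpdump -i eth0", "/usr/bin/tcpdump", raw_sockets=1),
    ProcRecord(303, "udevd", "/sbin/udevd -d", "/tmp/.cache-helper (deleted)", raw_sockets=1),
]

if __name__ == "__main__":
    for pid, findings in triage(SAMPLE).items():
        print(pid, findings)
```

The allowlist in rule 3 is the part that needs local tuning: without it every packet-capture or monitoring agent on the host fires the same alert, which is exactly the noise that lets a passive implant blend in.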